<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><blockquote type="cite"><div>do pluto and charon both load the attr-sql and sqlite plugins?<br>ipsec statusall should enumerate them.<br></div></blockquote><div><br></div><div>For pluto:</div><div><div>000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve </div><div><br></div><div>For charon:</div><div><br></div><div><div>loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr attr-sql resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp </div></div><div><br></div><div><div>(It looks like the answer is yes to both)</div></div><div><br></div><div>My ipsec.sql is imported from:</div><div><br></div><div><a href="http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/moon.ipsec.sql">http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/moon.ipsec.sql</a></div><div><br></div><div>And, for the sake of thoroughness, my /etc/strongswan.conf:</div><div><br></div><div><div>charon {</div><div> threads = 16</div><div> plugins {</div><div> sql {</div><div> loglevel = -1</div><div> database = <a href="sqlite:///etc.ipsec.d/ipsec.db">sqlite:///etc.ipsec.d/ipsec.db</a></div><div> }</div><div> }</div><div>}</div></div><div><br></div><div>pluto {</div><div>}</div><div><br></div><div>libstrongswan {</div><div>}</div><div><br></div><div><div>libhydra {</div><div> plugins {</div><div> attr-sql {</div><div> database = <a href="sqlite:///etc/ipsec.d/ipsec.db">sqlite:///etc/ipsec.d/ipsec.db</a></div><div> }</div><div> }</div><div>}</div><div><br></div><div>pool {</div><div> load = sqlite</div><div>}</div></div><div><br></div><div>Lastly, the output of ipsec statusall</div><div><br></div><div><div>000 Status of IKEv1 pluto daemon 
(strongSwan 4.4.1):</div><div>000 interface eth0/eth0 2001:1938:240::1:500</div><div>000 interface lo/lo ::1:500</div><div>000 interface sixxs/sixxs 2001:1938:81:a5::2:500</div><div>000 interface lo/lo 127.0.0.1:4500</div><div>000 interface lo/lo 127.0.0.1:500</div><div>000 interface eth2/eth2 192.168.2.1:4500</div><div>000 interface eth2/eth2 192.168.2.1:500</div><div>000 interface eth0/eth0 192.168.1.1:4500</div><div>000 interface eth0/eth0 192.168.1.1:500</div><div>000 interface eth1/eth1 76.27.20.26:4500</div><div>000 interface eth1/eth1 76.27.20.26:500</div><div>000 interface tun0/tun0 192.168.3.1:4500</div><div>000 interface tun0/tun0 192.168.3.1:500</div><div>000 %myid = '%any'</div><div>000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve </div><div>000 debug options: none</div><div>000 </div><div>000 "rw-dmz": 192.168.2.0/24===192.168.1.1[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>, CN=*, E=*]===%hostpool; unrouted; eroute owner: #0</div><div>000 "rw-dmz": CAs: "C=US, <foo>"..."C=US, <foo>"</div><div>000 "rw-dmz": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1</div><div>000 "rw-dmz": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;</div><div>000 "rw-dmz": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; prio: 24,32; interface: eth0; </div><div>000 "rw-dmz": newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div>000 "rw-l2tp": 76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%any[C=US,<foo>, CN=*, E=*]:17/%any; unrouted; eroute owner: #0</div><div>000 "rw-l2tp": CAs: "C=US, <foo>"..."C=US, <foo>"</div><div>000 "rw-l2tp": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1</div><div>000 "rw-l2tp": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;</div><div>000 "rw-l2tp": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth1; </div><div>000 "rw-l2tp": newest 
ISAKMP SA: #0; newest IPsec SA: #0; </div><div>000 "rw-l2tp-nat": 76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%virtual[C=US,<foo>, CN=*, E=*]:17/%any===?; unrouted; eroute owner: #0</div><div>000 "rw-l2tp-nat": CAs: "C=US, <foo>"..."C=US, <foo>"</div><div>000 "rw-l2tp-nat": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1</div><div>000 "rw-l2tp-nat": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;</div><div>000 "rw-l2tp-nat": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth1; </div><div>000 "rw-l2tp-nat": newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div>000 "rw-l2tp-psk": 76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%any[%any]:17/%any; unrouted; eroute owner: #0</div><div>000 "rw-l2tp-psk": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1</div><div>000 "rw-l2tp-psk": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;</div><div>000 "rw-l2tp-psk": policy: PSK+ENCRYPT+COMPRESS; prio: 32,32; interface: eth1; </div><div>000 "rw-l2tp-psk": newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div>000 "rw-l2tp-psk-nat": 76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0</div><div>000 "rw-l2tp-psk-nat": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1</div><div>000 "rw-l2tp-psk-nat": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;</div><div>000 "rw-l2tp-psk-nat": policy: PSK+ENCRYPT+COMPRESS; prio: 32,32; interface: eth1; </div><div>000 "rw-l2tp-psk-nat": newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div>000 "rw-local": 192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>, CN=*, E=*]===%hostpool; unrouted; eroute owner: #0</div><div>000 "rw-local": CAs: "C=US, <foo>"..."C=US, <foo>"</div><div>000 "rw-local": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1</div><div>000 "rw-local": 
dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;</div><div>000 "rw-local": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; prio: 24,32; interface: eth1; </div><div>000 "rw-local": newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div>000 "rw-local-nat": 192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%virtual[C=US,<foo>, CN=*, E=*]===?; unrouted; eroute owner: #0</div><div>000 "rw-local-nat": CAs: "C=US, <foo>"..."C=US, <foo>"</div><div>000 "rw-local-nat": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1</div><div>000 "rw-local-nat": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;</div><div>000 "rw-local-nat": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; prio: 24,32; interface: eth1; </div><div>000 "rw-local-nat": newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div>000 </div><div>Status of IKEv2 charon daemon (strongSwan 4.4.1):</div><div> uptime: 9 hours, since Sep 24 00:07:12 2010</div><div> malloc: sbrk 516096, mmap 0, used 441552, free 74544</div><div> worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0</div><div> loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr attr-sql resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp </div><div>Listening IP addresses:</div><div> 192.168.2.1</div><div> 192.168.1.1</div><div> 2001:1938:240::1</div><div> 76.27.20.26</div><div> 2001:1938:81:a5::2</div><div> 192.168.3.1</div><div>Connections:</div><div>rw-charon-mobike: 76.27.20.26...%any, dpddelay=30s</div><div>rw-charon-mobike: local: [<a href="http://myhost.fdqn.net">myhost.fdqn.net</a>] uses public key authentication</div><div>rw-charon-mobike: cert: "C=US,<foo>, CN=myhost.fdqn.net, <a href="mailto:E=root@myhost.fdqn.net">E=root@myhost.fdqn.net</a>"</div><div>rw-charon-mobike: remote: [C=US,<foo>, CN=*, E=*] uses any 
authentication</div><div>rw-charon-mobike: child: 192.168.1.0/24 === dynamic , dpdaction=clear</div><div> rw-charon: child: 192.168.1.0/24 === dynamic , dpdaction=clear</div><div> rw: 76.27.20.26...%any, dpddelay=30s</div><div> rw: local: [<a href="http://myhost.fdqn.net">myhost.fdqn.net</a>] uses public key authentication</div><div> rw: cert: "C=US,<foo>, CN=myhost.fdqn.net, <a href="mailto:E=root@myhost.fdqn.net">E=root@myhost.fdqn.net</a>"</div><div> rw: remote: [C=US,<foo>, CN=*, E=*] uses any authentication</div><div> rw: child: dynamic === dynamic , dpdaction=clear</div><div>Security Associations:</div><div> none</div><div><br></div></div><div>Thanks.</div></div><br><blockquote type="cite"><div>Regards<br><br>Andreas<br><br>On 24.09.2010 07:20, Troy Telford wrote:<br><blockquote type="cite">I must be a problem child... but I'm learning fast.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I'm mostly satisfied with L2TP (Save for my last tunnel/transport <br></blockquote><blockquote type="cite">question), so I've moved on to the more secure 'pure' IPsec <br></blockquote><blockquote type="cite">configurations.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I've been working on IP Address & DNS assignment setup via IKEv1 & IKEv2;<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I've been following:<br></blockquote><blockquote type="cite"><a href="http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/">http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/</a><br></blockquote><blockquote type="cite"><a href="http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/">http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/</a><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I have the ipsec pool configured properly, I believe; 'ipsec pool <br></blockquote><blockquote type="cite">--status' shows the pool I'm expecting, 
at any rate. However, with <br></blockquote><blockquote type="cite">both IKEv1 (Racoon/OS X) and IKEv2 (Win 7), I'm unable to get IP <br></blockquote><blockquote type="cite">addresses.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">With IKEv1, I've got the OS X client so it is able to establish an <br></blockquote><blockquote type="cite">IPsec SA. It has the config option "mode_cfg on". However, I'm not <br></blockquote><blockquote type="cite">seeing any ModeCfg messages in 'auth.log | grep pluto'.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">For IKEv2, the error is:<br></blockquote><blockquote type="cite">Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any<br></blockquote><blockquote type="cite">Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending <br></blockquote><blockquote type="cite">INTERNAL_ADDRESS_FAILURE<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">My network is as follows:<br></blockquote><blockquote type="cite"><something> - Dynamic address; I use DynDNS to resolve it to a host name.<br></blockquote><blockquote type="cite">192.168.1.1/24 (Main address space)<br></blockquote><blockquote type="cite">192.168.2.1/24 (DMZ address space; unused)<br></blockquote><blockquote type="cite">192.168.3.1/24 (Used for OpenVPN - for locations where ESP is blocked <br></blockquote><blockquote type="cite">at the firewall)<br></blockquote><blockquote type="cite">192.168.4.1/26 (IPsec pool)<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">So I think a connection would be along the lines of:<br></blockquote><blockquote type="cite">(Int. network) (Internet IP) (RW ISP) Road Warrior<br></blockquote><blockquote type="cite">192.168.0.0/21 -- ISP Assigned IP .. 
ISP Assigned IP -- NAT IP<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">My configuration (with L2TP removed, for clarity) is as follows:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">config setup<br></blockquote><blockquote type="cite"> crlcheckinterval="600"<br></blockquote><blockquote type="cite"> cachecrls=yes<br></blockquote><blockquote type="cite"> nat_traversal=yes<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24,%v4:!192.168.4.0/24<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"> interfaces=%defaultroute<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">conn %default<br></blockquote><blockquote type="cite"> keyingtries=1<br></blockquote><blockquote type="cite"> ikelifetime=60m<br></blockquote><blockquote type="cite"> keylife=20m<br></blockquote><blockquote type="cite"> rekeymargin=3m<br></blockquote><blockquote type="cite"> keyexchange=ikev2<br></blockquote><blockquote type="cite"> ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536<br></blockquote><blockquote type="cite"> esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536<br></blockquote><blockquote type="cite"> compress=yes<br></blockquote><blockquote type="cite"> left=%defaultroute<br></blockquote><blockquote type="cite"> right=%any<br></blockquote><blockquote type="cite"> dpddelay=30<br></blockquote><blockquote type="cite"> dpdtimeout=120<br></blockquote><blockquote type="cite"> dpdaction=clear<br></blockquote><blockquote type="cite"> pfs=yes<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">conn rw-local-nat<br></blockquote><blockquote type="cite"> rightsubnet=vhost:%no,%priv<br></blockquote><blockquote 
type="cite"> also=rw-local<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">conn rw-local<br></blockquote><blockquote type="cite"> keyexchange=ikev1<br></blockquote><blockquote type="cite"> # Supposedly rekey can be no, because the client will ask for it...<br></blockquote><blockquote type="cite"> rekey=no<br></blockquote><blockquote type="cite"> leftsubnet=192.168.1.0/24<br></blockquote><blockquote type="cite"> rightsourceip=%hostpool<br></blockquote><blockquote type="cite"> also=rw<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">conn rw-charon<br></blockquote><blockquote type="cite"> leftsubnet=192.168.1.0/24<br></blockquote><blockquote type="cite"> # In case we want a different (volatile) pool<br></blockquote><blockquote type="cite"> # rightsourceip=192.168.4.64/26<br></blockquote><blockquote type="cite"> rightsourceip=%hostpool<br></blockquote><blockquote type="cite"> also=rw<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">conn rw<br></blockquote><blockquote type="cite"> authby=rsasig<br></blockquote><blockquote type="cite"> leftrsasigkey=%cert<br></blockquote><blockquote type="cite"> rightrsasigkey=%cert<br></blockquote><blockquote type="cite"> leftcert=pilotCert.pem<br></blockquote><blockquote type="cite"> <a href="mailto:leftid=@pilot.pariahzero.net">leftid=@pilot.pariahzero.net</a><br></blockquote><blockquote type="cite"> rightid="C=US... 
CN=*, E=*"<br></blockquote><blockquote type="cite"> rightca=%same<br></blockquote><blockquote type="cite"> auto=add<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">$ ipsec pool --status<br></blockquote><blockquote type="cite">dns servers: 192.168.1.1<br></blockquote><blockquote type="cite">no nbns servers found.<br></blockquote><blockquote type="cite"> name start end timeout size online <br></blockquote><blockquote type="cite"> usage<br></blockquote><blockquote type="cite">hostpool 192.168.4.2 192.168.4.63 static 62 0 ( 0%) <br></blockquote><blockquote type="cite"> 0 ( 0%)<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">$ ipsec pool --statusattr<br></blockquote><blockquote type="cite"> type description pool identity value<br></blockquote><blockquote type="cite"> 3 INTERNAL_IP4_DNS 192.168.1.1<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">$ ipsec pool --showattr<br></blockquote><blockquote type="cite">internal_ip4_netmask --addr (INTERNAL_IP4_NETMASK)<br></blockquote><blockquote type="cite">internal_ip6_netmask --addr (INTERNAL_IP6_NETMASK)<br></blockquote><blockquote type="cite">netmask --addr (INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK)<br></blockquote><blockquote type="cite">internal_ip4_dns --addr (INTERNAL_IP4_DNS)<br></blockquote><blockquote type="cite">internal_ip6_dns --addr (INTERNAL_IP6_DNS)<br></blockquote><blockquote type="cite">dns --addr (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS)<br></blockquote><blockquote type="cite">internal_ip4_nbns --addr (INTERNAL_IP4_NBNS)<br></blockquote><blockquote type="cite">internal_ip6_nbns --addr (INTERNAL_IP6_NBNS)<br></blockquote><blockquote type="cite">nbns --addr (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)<br></blockquote><blockquote type="cite">wins --addr (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)<br></blockquote><blockquote type="cite">internal_ip4_dhcp --addr (INTERNAL_IP4_DHCP)<br></blockquote><blockquote 
type="cite">internal_ip6_dhcp --addr (INTERNAL_IP6_DHCP)<br></blockquote><blockquote type="cite">dhcp --addr (INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP)<br></blockquote><blockquote type="cite">internal_ip4_server --addr (INTERNAL_IP4_SERVER)<br></blockquote><blockquote type="cite">internal_ip6_server --addr (INTERNAL_IP6_SERVER)<br></blockquote><blockquote type="cite">server --addr (INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER)<br></blockquote><blockquote type="cite">application_version --string (APPLICATION_VERSION)<br></blockquote><blockquote type="cite">version --string (APPLICATION_VERSION)<br></blockquote><blockquote type="cite">unity_banner --string (UNITY_BANNER)<br></blockquote><blockquote type="cite">banner --string (UNITY_BANNER)<br></blockquote><blockquote type="cite">unity_def_domain --string (UNITY_DEF_DOMAIN)<br></blockquote><blockquote type="cite">unity_splitdns_name --string (UNITY_SPLITDNS_NAME)<br></blockquote><blockquote type="cite">unity_split_include --subnet (UNITY_SPLIT_INCLUDE)<br></blockquote><blockquote type="cite">unity_local_lan --subnet (UNITY_LOCAL_LAN)<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">So what do I need to do in order to get IP address assignment working?<br></blockquote><br><br>-- <br>======================================================================<br>Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></div></blockquote></div><br><div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-family: Helvetica; "><div>--</div><div>Troy Telford</div><div><a href="mailto:ttelford.groups@gmail.com">ttelford.groups@gmail.com</a></div></div>
</div>
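<div>An added consistency check for this kind of attr-sql pool setup (editor's example, not code from the thread or from strongSwan): it reads the "loaded plugins" lines from ipsec statusall, the database= URIs from strongswan.conf, the %pool references in ipsec.conf and the table printed by ipsec pool --status, and reports anything that does not line up. The sample inputs are constructed from the thread above; the output formats the regexes assume are my assumptions.</div>

```python
"""Cross-check a strongSwan attr-sql virtual IP pool setup from its text outputs.

Editor's example. Inputs below are constructed samples modelled on the thread;
the regexes encode assumed output formats, not strongSwan's own tooling.
"""
import re

# Constructed: the two 'loaded plugins' lines of `ipsec statusall` (pluto, charon).
STATUSALL = """\
000 loaded plugins: curl aes sha1 pem sqlite openssl attr attr-sql resolve
 loaded plugins: curl aes sha1 pem sqlite openssl attr attr-sql stroke dhcp
"""

# Constructed: strongswan.conf with a database= URI in two sections.
STRONGSWAN_CONF = """\
charon {
  plugins {
    sql {
      database = sqlite:///etc.ipsec.d/ipsec.db
    }
  }
}
libhydra {
  plugins {
    attr-sql {
      database = sqlite:///etc/ipsec.d/ipsec.db
    }
  }
}
"""

# Constructed: ipsec.conf pool references and an `ipsec pool --status` table.
IPSEC_CONF = "conn rw-local\n  rightsourceip=%hostpool\nconn rw-charon\n  rightsourceip=%pool2\n"
POOL_STATUS = """\
dns servers: 192.168.1.1
 name start end timeout size online usage
hostpool 192.168.4.2 192.168.4.63 static 62 0 ( 0%) 0 ( 0%)
"""

REQUIRED = {"sqlite", "attr-sql"}  # both daemons need these to serve a DB pool

def missing_plugins(statusall):
    """Per 'loaded plugins' line, the required plugins that are absent."""
    return [sorted(REQUIRED - set(m.group(1).split()))
            for m in re.finditer(r"loaded plugins:\s*(.*)", statusall)]

def database_uris(conf):
    """Every database= URI in strongswan.conf, in file order."""
    return re.findall(r"database\s*=\s*(\S+)", conf)

def unresolved_pools(ipsec_conf, pool_status):
    """%name pools referenced by rightsourceip but not listed by ipsec pool."""
    referenced = set(re.findall(r"rightsourceip\s*=\s*%(\w+)", ipsec_conf))
    # Data rows start with the pool name followed by its first IPv4 address.
    defined = set(re.findall(r"^(\S+)\s+\d+\.\d+\.\d+\.\d+", pool_status, re.M))
    return sorted(referenced - defined)

def findings(statusall=STATUSALL, conf=STRONGSWAN_CONF,
             ipsec_conf=IPSEC_CONF, pool_status=POOL_STATUS):
    """Human-readable list of mismatches; empty means the pieces agree."""
    out = [f"daemon {i}: missing plugins {m}"
           for i, m in enumerate(missing_plugins(statusall)) if m]
    uris = database_uris(conf)
    if len(set(uris)) > 1:
        out.append(f"database URIs differ between sections: {uris}")
    out += [f"pool %{p} referenced but not defined" for p in unresolved_pools(ipsec_conf, pool_status)]
    return out

if __name__ == "__main__":
    print("\n".join(findings()) or "no mismatches found")
```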
<br></body></html>